Risk-Based Security

Cyber security is a risk management process.

In its simplest form, that’s it. People worry about it and are afraid of it because it is so technically complex and broad. Once you get past the technology and the complexity, it is just managing risk. If you have a good resource to find and present the risks, you can make those risk management decisions yourself; you already do it for operations, finances, and other areas of the business.

Providing that bridge between the technical aspects and the real risk to your business takes more than scans and compliance checklists, though. That is the concept I spend the most time trying to communicate. A vulnerability scanner will only tell you where some of the vulnerabilities exist, together with a generic severity rating (usually a CVSS base score) that describes each vulnerability in a vacuum, to borrow a phrase from physics: the rating is computed with no knowledge of your environment. Since scanners only cover the technical side of IT, they do not give you a true view of your overall security posture. The real work is understanding what a given vulnerability means to your business. Is it on a critical server that holds financial or healthcare records, or on the system employees use to clock in and out? That makes a big difference in how you prioritize a fix, and in whether you spend money and time fixing it at all.

Additionally, many people don’t apply the KISS (keep it simple, stupid) principle. From the article:

“Companies often fixate on macro events like nation-state attacks when they are far more likely to be breached by a random malware attack like WannaCry. Companies too often don’t take the simple measures to protect themselves as much as they should against the more likely threats.”

This is another huge misconception I work hard to correct with small business clients. They are far more likely to be hit by automated and drive-by malware than by nation-state hacking or the (buzzword alert) “advanced persistent threat”. While it is fun to imagine James-Bond-style attacks, it is more realistic to protect against the mundane, highly automated ones, because those are the attacks that actually reach a small business.

When you think of cyber security in a risk management sense, you have distinct steps in an ongoing process:

Start by defining your most critical assets.

What do you have that’s most important to your business (e.g., equipment, computers, information, intellectual property, processes, reputation, etc.)?

What types of information do you process and store? Are any of these in protected classes (e.g., financial, healthcare, etc.)?

What do you have that would be most desired by an attacker?

Next, list the threats to those assets (you may want some outside help for this).

Are those threats coming over the Internet?

Are they more likely to attempt a physical attack on your facility?

Are they trusted insiders? (Don’t discount insiders; they can pose threats both intentionally and unintentionally.)

Then document the weaknesses in your business that could be exploited to disrupt those critical assets or steal that sensitive information.

Test and assess your technical and IT weaknesses

Determine the risks from your people and in your processes

How secure is your building? How well do you protect documents, IT systems, and other media?

Finally, prioritize those weaknesses and vulnerabilities by the criticality of the assets they sit on and the likelihood that the threats to your business will actually exploit them. That combination of impact and likelihood, not the scanner’s generic severity rating, should drive the order in which you fix things.
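As an added worked example (it is not part of the original post and not a tool the author describes), here is how those four steps fit together in Python. The asset names, threat likelihoods, scoring weights and scanner findings are all constructed assumptions. The point it shows is that a “critical” finding on the timeclock drops to the bottom of the list once it is weighted by what the asset means to the business, while a lower-severity finding on the financial records server rises to the top.

```python
"""Risk-based prioritisation of vulnerability-scanner findings.

Added worked example for this post, not the author's tool or real scanner
output. Asset names, threat likelihoods, scoring weights and findings are
constructed for illustration.
"""
from dataclasses import dataclass


# Step 1: the critical assets. Criticality (1 = nuisance, 5 = the business
# stops) is a business judgement that no scanner can make for you.
@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int
    data_classes: frozenset      # e.g. {"financial"}, {"healthcare"}
    internet_facing: bool


# Step 2: the threats, with a rough likelihood (1..5) that each one reaches
# a given asset. Some only apply to systems exposed to the Internet.
@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int
    needs_internet_exposure: bool


# Step 3: the weaknesses as a scanner reports them: an asset, a description
# and a generic base severity (0..10) that knows nothing about your business.
@dataclass(frozen=True)
class Finding:
    asset: str
    description: str
    base_severity: float


PROTECTED_CLASSES = frozenset({"financial", "healthcare"})  # assumed set


def impact(asset: Asset) -> int:
    """Business impact if the asset is disrupted or its data is stolen.

    Criticality, plus a bump when the asset holds regulated data, since a
    breach there carries reporting and liability costs beyond the outage.
    """
    bump = 2 if asset.data_classes & PROTECTED_CLASSES else 0
    return asset.criticality + bump


def likelihood(asset: Asset, threats: list) -> int:
    """Likelihood (1..5) that some threat actually reaches this asset.

    Taken as the most likely threat that can plausibly get to it, so an
    Internet-facing host picks up opportunistic scanning that an internal
    host does not.
    """
    applicable = [t.likelihood for t in threats
                  if asset.internet_facing or not t.needs_internet_exposure]
    return max(applicable, default=1)


def risk_score(finding: Finding, assets: dict, threats: list) -> float:
    """Scanner severity weighted by what the asset means to the business."""
    asset = assets[finding.asset]
    return finding.base_severity * impact(asset) * likelihood(asset, threats)


def scanner_order(findings: list) -> list:
    """How the raw scanner report orders things: by base severity alone."""
    ranked = sorted(findings, key=lambda f: f.base_severity, reverse=True)
    return [f"{f.asset}: {f.description}" for f in ranked]


def risk_order(findings: list, assets: dict, threats: list) -> list:
    """Step 4: the same findings, ordered by business risk (label, score)."""
    scored = [(f"{f.asset}: {f.description}", risk_score(f, assets, threats))
              for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample data for a small business (assumptions, not real hosts).
ASSETS = {a.name: a for a in [
    Asset("finance-db", 5, frozenset({"financial"}), internet_facing=False),
    Asset("patient-portal", 4, frozenset({"healthcare"}), internet_facing=True),
    Asset("timeclock", 1, frozenset(), internet_facing=False),
]}

THREATS = [
    Threat("automated malware via phishing", 4, needs_internet_exposure=False),
    Threat("opportunistic Internet scanning", 5, needs_internet_exposure=True),
    Threat("malicious or careless insider", 3, needs_internet_exposure=False),
    Threat("targeted nation-state attack", 1, needs_internet_exposure=False),
]

FINDINGS = [
    Finding("timeclock", "missing OS patches, remote code execution", 9.8),
    Finding("patient-portal", "outdated web framework, remote code execution", 9.0),
    Finding("finance-db", "database reachable with default credentials", 7.5),
    Finding("patient-portal", "weak TLS configuration", 6.5),
]

if __name__ == "__main__":
    print("Scanner order (base severity only):")
    for line in scanner_order(FINDINGS):
        print("  ", line)
    print("Risk order (severity x impact x likelihood):")
    for line, score in risk_order(FINDINGS, ASSETS, THREATS):
        print(f"  {score:6.1f}  {line}")
```

Run it and compare the two orderings: sorted by base severity alone, the unpatched timeclock comes first; weighted by impact and likelihood it comes last, and the Internet-facing patient portal and the financial database take its place. The weights are deliberately simple. The discipline is in steps 1 and 2, which force you to write down what each asset is worth and who is realistically coming after it before you read a single scan result.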

With this risk-based mindset, you will be much better prepared to defend against cyber threats while spending much less time and money to get there. You won’t be trapped in the frustrating and ineffective scan-patch-scan cycle trying to get to a zero-vulnerability report. And you will be much less likely to miss the real vulnerabilities that could get you in trouble.

Need some help determining your critical assets, vulnerabilities, and threats?